Embed Size (px)
Citation preview
Map2Check Using LLVM and KLEE (Competition Contribution)
Rafael Menezes,Herbert Rocha, Lucas Cordeiro and Raimundo Barreto
2SV-COMP 2018UFRR/UFAM/OXFORD
Map2Check
✓ Map2Check automatically generates and checks assertions from safety properties related to:▪ unreachability of an error location▪ arithmetic overflow▪ invalid deallocation▪ invalid pointers▪ memory leaks
✓ Map2Check adopts source code instrumentation to: ▪ monitor the program’s executions▪ validate assertions with safety properties
Metadata
G ! call(__VERIFIER_error())
G ! overflow
Old Map2Check
New Map2Check
3SV-COMP 2018UFRR/UFAM/OXFORD
Map2Check
ESBMC
Map2CheckVC generator
Verification
Clang
FrontendCode Transformation
Symbolic Execution
4SV-COMP 2018UFRR/UFAM/OXFORD
Map2Check - Verification Approach
Flow
5SV-COMP 2018UFRR/UFAM/OXFORD
Map2Check - Verification Approach
Code optimization
Convert the C code
dead code elimination and constant propagation
6
Map2Check - Verification Approach
Add Map2Check library functions
Connect Map2Check library
SV-COMP 2018UFRR/UFAM/OXFORD
%B = alloca i32*, align 8call void @map2check_alloca(...) #10, !dbg !10…call void @map2check_free(...), !dbg !23%9 = call … @free to i32 (i32*, …)*) (i32* %8),!dbg !23
#include <map2check.h>
7
Map2Check - Verification Approach
Apply further Clang optimizations Generate concrete inputs
SV-COMP 2018UFRR/UFAM/OXFORD
Bool is_invalid_free(long address, MAP2CHECK_CONTAINER* log) { ... for(; i >= 0; i--) { LIST_LOG_ROW* row = (LIST_LOG_ROW*) get_element_at(i, *log); ... if(is_free || (!is_dynamic)) {
return TRUE; }else {
return FALSE; } }return TRUE;}
klee_make_symbolic(&non_det, sizeof(non_det), "non_det_int");
new_klee_call(INTEGER, line, scope, value, function_name, Map2CheckCurrentStep);
promote memory to register
8
Map2Check - Verification ApproachVerification result and
generate witnesses
SV-COMP 2018UFRR/UFAM/OXFORD
Map2Check taints program data
$ ./map2check test/tacas2018.c...State 5: file test/tacas2018.c----------------------------------------->>Memory list log
Line content : free(B); Address : 0x7fff32a334e0 PointsTo : 0x7b9010 Is Free : TRUE Is Dynamic : FALSE Var Name : B Line Number : 9 Function Scope : main
-----------------------------------------Violated property:file map2check_property line 9 function mainFALSE-FREE: Operand of free must have zero pointer offset
VERIFICATION FAILED
● KLEE output● Basic block executed in
the control flow graph● Basic blocks as
invariants
9
Proposed Architecture
Map2Check tool is available at https://map2check.github.io
SV-COMP 2018UFRR/UFAM/OXFORD
10
Proposed Architecture
Model using C assertions
Model for CUnit
#include <map2check.h>
Unit Testing Framework
debugging
options/statements for unit testing
SV-COMP 2018UFRR/UFAM/OXFORD
11
Strengths and Weaknesses - Map2Check
SV-COMP’18 results✓ ReachSafety-Arrays (the highest score, i.e., 106)✓ ReachSafety-BitVectors✓ ReachSafety-Heap✓ ReachSafety-Loops✓ ReachSafety-Recursive✓ MemSafety (a score of 228)✓ NoOverflows
SV-COMP 2018UFRR/UFAM/OXFORD
12
Strengths and Weaknesses - Map2Check
✓ Map2Check exploits dynamic information flow by tainting program data
✓ It uses Clang/LLVM as an industrial-strength compiler to simplify and instrument the code
✓ It employs KLEE to produce concrete inputs for different program executions
✓ Map2Check bounds the loops and recursion up to a given depth k
✓ Map2Check can be effective in generating and checking test cases of memory management for C programs
SV-COMP 2018UFRR/UFAM/OXFORD
13
Map2Check - New plans
SV-COMP 2018UFRR/UFAM/OXFORD
American fuzzy lop AFL
Program invariants
● Improve code exploration
● Loops
● Counterexample refinement
● Data flow analysis + polyhedral invariant template
